
COMPUTERWORLD


Women  in  IT: 


HOW DEEP IS THE BENCH?


Superstar  women  lead  IT  at 
some  of  the  biggest  global 
corporations,  yet  the  path 
to  the  top  isn’t  clear  for  the 
next  generation. 




COMPUTERWORLD 


COVER  STORY 


Women  in  IT: 

How  Deep  Is  the  Bench? 




Smartphone Work Zone

New containerization technologies
can help BYOD initiatives succeed
by creating separate spaces on
smartphones for work and personal use.


Career Mapping Done Right

Specially designed holistic
development plans help tech workers
and their employers navigate the
choppy waters of IT employment.


HEADS UP | Smart meters

get an F in privacy. | Microsoft
ry  features  to 


update  Flash  Player  on 


feeling  Sandy’s  wrath  for 

months.  I  S  Statistical 
modeling  techniques  yielded 


cloud  is  broken,  and  we 


Heads Up


Microsoft Adds
In-Memory Tech
To SQL Server


Adobe  to  Fix  Flash  on  Patch  Tuesdays 


ADOBE HAS changed its schedule
for releasing Flash Player security
updates to coincide with Microsoft’s
Patch Tuesday schedule.

“Microsoft and Adobe are now officially
married,” joked Andrew Storms, director
of security operations at nCircle Security, a
software vendor, in an email. “They started
dating when they decided to share the MAPP
program,” and once Microsoft agreed to
embed Flash into Internet Explorer 10, it was
“inevitable” that Adobe would begin following
Microsoft’s patch schedule, he said.

Under  MAPP,  or  the  Microsoft  Active  Pro- 


investments will add up to $8 billion,
and its outlays for wired technology
will total $6 billion.

AT&T previously said that its LTE


released  Flash  bug  fixes  at  irregular  intervals. 

The lack of synchronization became an issue
after Microsoft announced it would bake Flash
Player into IE10 for Windows 8 and its tablet
spin-off, Windows RT. Problems surfaced in
September when Microsoft said it would not
patch IE10 for at least six weeks, even though
Adobe had issued updates the previous month
that addressed at least one vulnerability that
hackers were already exploiting.

Microsoft later recanted and issued an
update to IE10. It then issued another in
October, on the same day Adobe shipped its
Flash fixes. Some criticized Microsoft for


2013. To hit that goal, it plans to buy
more wireless spectrum for its LTE
service. In the 22 states where it offers
wired voice and data services,
AT&T plans to have its LTE network
cover 99% of all customer locations.

The carrier also plans to deploy
small-cell technology, macro cells

improve the quality of its wireless

The initiative, called Project Velocity
IP (or Project VIP), is part of
the company’s plan to spend $22


NEWS  ANALYSIS 




district  on  Oct.  3( 


Hurricane  Sandy 
Leaves  Wounded 
Servers  Behind 

As  disaster  recovery  firms  struggle  to  restore 
damaged  data  centers,  experts  warn  of 
further  storm-related  breakdowns  in  the 
months  ahead.  By  Patrick  Thibodeau 


foot facility at 60 Hudson St. — are said to be
critical to the nation’s infrastructure because
they allow data sharing between users of different

“There is a high probability that your Internet
traffic, every time you go on a website, passes
through 111 8th Ave. at some point,” said Michael
Levy, an analyst at Datacenters Tier1 Research, a
division of 451 Research.

“Everybody  just  underestimated  the  strength  of 
the  hurricane,”  said  Todd  Johnson,  vice  president 
of  operations  at  Kroll  Ontrack,  which  provides 


Kroll were still working to recover data :
surges or by spikes in power in the New York metropolita


Johnson  said  some  Kroll  Ontrack  customers  found  servers 
sitting  in  water  that  was  10  to  13  feet  deep. 

The  storm-damaged  equipment  ranges  from  desktop 
computers  to  servers,  including  stand-alone  RAID  systems 
running  office  systems  at  midsize  to  large  businesses  located 
in  coastal  areas,  Johnson  said. 

Another data recovery firm, Drive Savers, was also still
working weeks after the storm to restore waterlogged drives
for its customers, said spokeswoman Michelle Taylor.

Experts say it’s possible that storm-related damage in data
centers could lead to significant server problems down the
road. Data center systems usually operate in controlled
environments with steady temperatures and humidity levels, but
Sandy caused flooding that may have damaged the systems
that control heating and cooling equipment.

One  data  center  reported  temperatures  rising  above  100 


DATA RECOVERY experts have been busy in the wake
of Hurricane Sandy, which left a slew of data centers
underwater, damaging equipment and posing a significant
threat to business-critical data.

Apparently disregarding weather forecasters’


degrees Fahrenheit as staffers scrambled to repair a generator.

By breaking the environmental cocoons that protect IT
equipment, the storm may have wounded some servers and set
them up for component failures weeks or months from now, said
Scott Kinka, CTO of cloud services provider Evolve IP.

If equipment operates at higher-than-recommended temperatures,
it could face a higher risk of component failure, and data
center managers might see an uptick in component problems.


Analytics  Star 
In  2012  Election 

Spot-on  forecasts  by  quantitative  analysts 
are  hailed  as  ‘a  triumph  of  science  over 
punditry.’  By  Jaikumar  Vijayan 


When I started producing my forecast in late May, the historical
model that I was using showed that Obama would get about 52%
of the major party vote.”

David Rothschild, chief economist at Microsoft and developer
of the model used by Yahoo’s The Signal blog, which also
accurately predicted the outcome of the presidential race, called the
forecast “a triumph of science over punditry.”

Back in February, before Mitt Romney had secured the Republican
nomination, The Signal had a baseline forecast predicting

Rothschild said his model creates a baseline by evaluating
historical data, state-level economic indicators and factors like the
president’s approval rating and the advantages of incumbency.

“For most of the election cycle, we had Obama at around 303
[Electoral College votes],” Rothschild said.

Ultimately, the accuracy of the polls made all the difference,
said Josh Putnam, a visiting professor of political science at
Davidson College and author of FHQ, another blog that early on
predicted a 332-206 Obama electoral vote victory. If the polls had
been wrong, the forecasts would have been wrong as well, he said.

Putnam didn’t use statistical models; he simply aggregated
state-level poll data to arrive at his forecasts.

“It was not very complicated,” he said. “My forecasts were
based simply on a weighted average of poll data.” ♦




Catherine  J. 
Bruno 


This  CIO  helps  steer 
a  multimillion-dollar 
grant  program 
that  leverages  IT  to 
improve  healthcare. 


Family:  Married  for  35  years,  with 
three  adult  children  and  three 
grandchildren. 


Catherine  Bruno  accepts  an  MIT  Sloan  CIO  Symposium  award  from 
Sloan  School  Dean  Emeritus  Glen  L.  Urban  in  May  2012. 




THE  GRILL  |  CATHERINE  J.  BRUNO 


The challenge when you have growth like we had [in
staff size and projects] is developing management
leadership skills as quickly as you grow.


care of our patients,

regulatory requirements, that we’re able to take that information
and then analyze it to improve the care we offer. And we have
been able to leverage that for the $12.75 million grant for the
Bangor Beacon Community. That money, from the Office of the
National Coordinator for Health IT, goes toward improving
people’s health through care management facilitated by
information technology. We chose four chronic diseases —
diabetes, asthma, congestive

chronic obstructive pulmonary disease — and our primary care
practices, EMHS and our community partners use care management
and electronic health records to identify the issues with these
chronic patients. [As a result] we reduced hospitalizations and
ER visits by 40% within the first year of the grant.


from the key leaders in the community, and then we
provided strong project management services and data
analysis services that helped staff get the work done.
We would follow up on milestones. We managed it like
a collection of projects, and bringing that project
management discipline was part of the success as well.


What’s your biggest challenge moving forward
as CIO? The pace of change has been accelerating,
especially in healthcare. There’s a lot of opportunity
to expand and improve our electronic health records.
We have regulatory projects like the move from ICD-9
to ICD-10. It’s how we code to be able to tell the
insurance companies what we did. It’s like a Year 2000
project because of the format and the size of the field
of the changes, and they’re ubiquitous in our systems.
We’re doing that with a deadline of Oct. 1, 2014. On
the electronic records side, we have meaningful-use
incentives and requirements for that, and EMHS is a
pioneer accountable care organization, so we’re
developing new systems and partnerships for that.


What is your secret to succeed in those areas? It’s
not really a secret. You surround yourself with great

people.  The  challenge  when  you  have  growth  like  we 
had,  in  terms  of  size  of  our  staff  and  the  number  and 
complexity  of  projects,  is  developing  management 
leadership  skills  as  quickly  as  you  grow.  Fortunately, 
I’ve  got  strong  folks  in  the  leadership  roles  at  EMHS. 
That’s  the  key,  because  it’s  my  job  to  make  sure 
they’re  going  in  the  right  direction  and  they  know 
what  the  strategy  is. 

You’re an executive sponsor. How does that differ
from being a CIO? For the Bangor Beacon Community,
the executive sponsor is like being the CEO for
the grant. I was responsible for [ensuring] that the
grant was organized, that we had appropriate governance
and project management, that it was executed
appropriately and according to what we said we were
going to do on the grant application.


challenge in getting this done? Traditionally we have
worked in silos; there hasn’t been an information
flow among the various healthcare organizations
in a community. So one of the things we did in the
Bangor Beacon Community is share information
among the practices and other hospitals in town. We
had to build structures and governance to facilitate
that collaboration and put structures in place for that
information flow.

What’s the big take-away from that experience? The
key methodology I used was to make sure that the
leaders of the organizations were involved and they
chose clinicians and care managers and other people
in their organizations to be involved with the grant
and that everything was open and transparent. We
had a retreat to kick it off to make sure we had buy-in


You  earned  an  MBA  in  finance.  What  does  that 
degree  give  you  that  an  IT  leader  can’t  get  on  the 
job?  It  really  gives  you  a  broad  business  background, 
and  the  nice  thing  about  the  finance  concentration 
is you can talk to chief financial officers. I thought
about being a CFO when I got out of school, but I
really fell in love with the information systems piece.
And I think [the degree has been] very valuable in
securing the resources we need to get all this work
done in IS. It helped me to move into management,
relate to terminology, the decision-making process,
all those kinds of things. I would actually recommend
an MBA for someone who wants to be a CIO
rather than a master’s in IS. ♦

— Interview by Computerworld contributing writer
Mary K. Pratt (marykpratt@verizon.net)




OPINION

THORNTON A. MAY

Can Infosec Cure Stupid?


My colleagues quite rightly counsel me not to throw
around the word ‘stupid,’ but sometimes no other will
suffice.


Thornton A. May is author of The New Know: Innovation
Powered by Analytics and executive director of the IT
Leadership Academy at Florida State College in
Jacksonville. You can contact him at thorntonamay@aol.com
or follow him on Twitter (@deanitla).


IS THE WORLD DIGITIZING faster than we can handle it? As a very
frequent flier (I’m on a plane about 280 days a year), I find that on just
about any flight (you name the continent), in just about every row,
passengers of every generation are actively engaged with a vast variety
of digital apparatuses to either increase stimuli
(music, video, e-books), reduce stimuli (the
blessed Bose noise-canceling earphones), buy or
sell something, or get work done.

But despite the ubiquity of the devices, hardly
any of these people understand how all this gear
works, where all the data that makes this magic
happen comes from, how to fix things when they
break and the implications of our technology usage
behaviors on information security and privacy. This
is the bomb that’s ticking away in every infosec
manager’s nightmare: user ignorance. The question
facing not just chief information security officers
but all of us is, “How do we fix stupid?”

My colleagues in academia and my handlers
at Computerworld quite rightly counsel me not to
throw around the word stupid in print or online.
Sometimes, though, no other word suffices. What
other term can be applied to the employees and
contractors at the Pentagon’s Missile Defense
Agency (MDA) who were “chided for using
government computers to surf porn”?

Unlike employees of the MDA, most of us don’t
play a major role in this nation’s ground- and sea-based
missile defense programs. But our stupidity
can nonetheless threaten our companies’ security,
if not the nation’s. Take BYOD. Most often we
focus on the “D,” meaning the device, but we’d do
well to give some regard to the “B” of “bring.” Yes,
users have a panting-dog desire to bring the device
of their dreams with them wherever they go, but
a surprisingly large number of them occasionally
leave their devices behind. According to a report
from the Ponemon Institute, “Airport Insecurity:
The Case of Lost Laptops,” up to 600,000 laptops
are left behind in America’s airports every year.

In New York City alone, in the early days of the
smartphone revolution, busy folk left 31,544
phones in cabs during one six-month period. Do
we even need to talk about the number of USB
drives left with dry cleaners?

As  stupid  as  all  of  that  sounds,  it’s  not  the  kind 
of  stupidity  I’m  really  worried  about.  My  deep 
concern  is  the  systemic  stupidity  that  arises  from 
the  fact  that  only  a  tiny  fraction  of  the  people 
living in this technologically complex world actually
understand how any of this stuff works.

Personally, I acknowledge that I have been
guilty of this kind of stupidity. But having recognized
that I am not the sharpest knife in the
drawer, I try to identify the sharp knives of my
acquaintance and ask them how to hone my edge.
The first step on the path out of stupidity and
toward information security is to create an infosec
brain trust: a group of people who are strategically,
operationally and technically aware, and who
are willing to answer your questions. Questions
like, “Does this seem stupid to you?”

My brain trust consists of Dennis Devlin, of
Information Security and Compliance Services at
George Washington University; Malcolm Harkins,
CISO and general manager of information risk
and security at Intel; Eddie Schwartz, CISO at
RSA; Steve Collignon, CISO at EIT Shared Services/ES
Cardinal Health; and Peter Zuemg, CISO

Who  are  your  go-to  infosec  “smarties,”  and  what 
are  they  telling  you?  I'd  love  to  compare  notes.  ♦ 


COMPUTERWORLD NOVEMBER 19, 2012




COVER STORY


Women in IT:
How Deep Is the Bench?

Superstar women lead IT at some of the biggest global
corporations, yet the path to the top isn’t clear for the
next generation.

BY TRACY MAYOR


URSULA BURNS at Xerox. Ellen Kullman
at DuPont. Ginni Rometty at IBM.

famously, Marissa Mayer
with a baby on board and a
Twitterstream in tow.


at a prominent technology

company, the industry breathes a sigh of relief and pats
itself on the back. See? Self-proclaimed “girl geeks” like
Mayer really can survive and thrive in IT and research.

Add to that the fact that more female CIOs than ever are
leading the tech charge at Fortune 500 companies like Exxon
Mobil, Boeing, Dell, Walmart, Bank of America, Xerox and
GE, and it’s easy to conclude that change really has come to one
of the last male-dominated boxes on the corporate org chart.




If  you  want  to  be  a  VP,  you  need 
exposure  to  different  parts 
of  the  organization,  and  Xerox 
is  so  large,  if  you  just  hang  out  in  your  own 
department,  you’re  not  going  to  move  forward 
in  a  constructive  way. 

INTERACTION DESIGNER, XEROX


In contrast, the industry shift away from
nuts and bolts and toward hybrid skill sets —
including higher-level analytics, process and
project management, and user-centric social
and mobile computing — could open up opportunities
for women to move laterally into tech
departments from other specialties.

That’s how it worked for Kathleen Healy-Collier,
who holds bachelor’s and master’s degrees in healthcare
and is preparing the oral defense of her Ph.D. thesis in

Medical University of South Carolina.

Healy-Collier is the administrative director
— essentially, the IT director — at Le Bonheur
Children’s Hospital, which is part of a five-hospital
coalition in Memphis. She says that
she sees more and more women in healthcare
making moves like hers.

“I’ve been in the industry for 18 years, and
when I started out, it was totally male-dominated,”
says Healy-Collier. “If you go back even
further, 30 years, healthcare systems were all
‘man’s work’: in the back room, with paper-based
records.” The only integrated data systems
tended to be financial or production tools, which
appealed to a narrow audience. It’s no surprise
the CIO or IT director role went to a traditional
IS or MIS graduate, most often a male.

Now, healthcare is undergoing a massive
shift, and its IT systems are changing as well.

“Organizations discovered that you can’t just put
IT on top of medicine; you need an understanding
of the underlying critical workflow,” Healy-Collier
says. More often than not, the people
with that clinical background are females.

“Administrators, executives, doctors and nurses — they are
able to connect the dots for more technical people,” says Healy-Collier.
And they enjoy the work and are drawn to it in the way that
wouldn’t be true with a back-office IT function, she says. “Clinicians
tend to be the ones who understand those systems best but also to be
genuinely interested in that kind of interactivity and connectivity.”

Xerox’s Zahra Langford is one tech employee who enthusiastically
embraces the concept of hybrid skill sets. Praised by
Vandebroek (her boss’s boss) as “an amazing, amazing woman,”
Langford started out as a theater major and then became interested
in set design, which led her to Web design. She did OK for
herself freelancing in Silicon Valley until the tech crash of 2002.

At that point, she went back to school “to try and get technical
credentials for what I was kind of doing already,” she says. She
earned an MSI in human-computer interaction from the University
of Michigan in 2005 and went to work for Xerox, where she had
interned. An interaction designer, she is in her third post at Xerox.

African-American and openly gay, Langford is a minority within
a minority within a minority who on the face of it might seem
an odd fit on Xerox’s Rochester, N.Y., campus. But the company’s
range of affinity groups have made her and her partner feel
welcome, she says — and they’ve helped her develop professionally.

“One  thing  the  caucus  groups  do  provide  is  a  cross-company 
network,”  Langford  explains.  “If  you  want  to  be  a  VP,  you  need 
exposure  to  different  parts  of  the  organization,  and  Xerox  is  so 
large,  if  you  just  hang  out  in  your  own  department,  you’re  not 
going  to  move  forward  in  a  constructive  way.” 

Mentoring from women at the executive level — Vandebroek,
in particular — makes a difference as well, Langford says. “I had
access to Sophie even as an intern. She was very involved in
connecting with people and asking them to consider Xerox for the
long term. She helped me realize this place is pretty special.”


“It’s a secure container with an app that can send
and receive corporate email that’s encrypted,” says
Perkins. All communications are routed through


Virginia University, is also wary. “I don’t want my
guys doing settings on the personal side that could
come back to haunt us,” such as accidentally deleting
data or making configuration changes that affect how
the users’ personal apps run, he says.

For companies in highly regulated industries that
need strong security policies and face strict compliance
mandates, containerization can be especially
helpful in making the BYOD experience more palatable
for users, IT leaders say.

Choose  Your  Container 

Vendors offer, in essence, three different approaches
to containerization: creating an encrypted space,
or folder, into which applications and data may be
poured; creating a protective “app wrapper” that
creates a secure bubble around each corporate application
and its associated data; and using mobile hypervisors,
which create an entire virtual mobile phone on
the user’s device that’s strictly for business use.

All of these approaches offer more granular control
over corporate applications and data on users’ devices
than whatever security comes standard with smartphones
currently. And with containerization, users
aren’t limited to using devices on an approved list of
smartphones that have been certified and tested by
IT, because corporate apps and data reside inside a
secure, encrypted shell.

However, the need to switch back and forth
between the business and personal environments
may be perceived as inconvenient and affect overall
user satisfaction, says Phillip Redman, an analyst at

Neither Apple nor Google offers containerization
technology, and neither would comment for this
story, but each company did point out some resources
that might be helpful (see story, page 23).

Encrypted  Folders 

The  most  mature  containerization  approach  is  the 
use  of  an  encrypted,  folder-based  container,  Redman 
explains.  AirWatch  has  such  an  offering,  and  Good 
Technology  is  an  early  leader  in  sales  to  organizations 
that  have  adopted  containerization  enterprisewide, 
particularly  within  regulated  industries. 

For  basic  mobile  access,  BNY  Mellon  uses  Good 
for  Enterprise  to  create  an  encrypted  space  on 
smartphones  within  which  users  can  run  Good’s 
email  and  calendar  client  and  use  a  secured  browser. 


proprietary

environment. So far, about a dozen commercial apps
are available, including QuickOffice, which is typically
used for reading and editing downloaded Microsoft
Office file attachments.

Perkins is using Good only for email and calendar
— the “killer apps” for most employees, he says
— and accessing internal, browser-based apps using
Good’s browser.

For users who need complete access to the corporate
network, SharePoint and other services, BNY
Mellon uses Fiberlink’s MaaS360, a cloud-based
MDM system that can take complete control of a
user’s device. MaaS360 monitors what gets written to
and from the operating system, and it blocks access to
some personal apps, such as Yahoo Mail and Gmail,
when the device is accessing corporate resources.


We can’t afford to delete things of a
personal nature or impede [end users’]
ability to use their personal asset

RYAN TERRY, DIVISION CIO AND CSO, UNIVERSITY HOSPITALS health t


“When it’s on our network, we own it and control
it,” says Perkins. When used in personal mode,
individuals have control over which apps they can use.

What’s more, BNY Mellon may wipe devices —
including all personal apps and data — that are lost
or stolen, although MaaS360 and most other major
MDM tools do allow selective wipes. Citing security
concerns, Perkins declined to say how many times
the company has had to wipe phones.

In  contrast,  only  the  corporate  container  is  wiped 
from  lost  or  stolen  devices  that  just  have  email  and 
calendar  access  via  the  Good  technology. 

App  Wrapping 

A newer, more granular approach is to enclose
individual apps in their own encrypted policy wrappers,
or containers. This allows administrators to
tailor policies to each app. The market for tools that
support app wrapping is dominated by small vendors
with proprietary products, including Mocana, Bitzer




MOBILE  &  WIRELESS 


Mobile,  OpenPeak  and  Nukona  (which  was  recently 
acquired  by  Symantec). 

For its part, RIM is working on adding this
capability to its BlackBerry Mobile Fusion MDM
software. (Mobile Fusion works with Android and
iPhone devices in addition to BlackBerries.) Peter
Devenyi, senior vice president of enterprise software
at RIM, says the company’s offering will be “a
containerized solution where one can wrap an
application without the need to modify source code so you
can run it as a corporate application and manage it
as a corporate asset.”

With app-wrapping tools, “you can put together a
pretty complete, fully wrapped productivity suite that’s
encrypted and controllable,” says Jeff Fugitt, vice
president of marketing at mobile integrator Vox Mobile.
But the technology has not been widely adopted.

Forrester analyst Christian Kane describes app
wrapping as an “application-level VPN” that lets
administrators set policies to determine what the app
can interact with on the user’s device or on the Web,
and what access the app has to back-end resources. It
also allows for remote wiping of the container,
including the app and any associated data.

"Application  wrapping 

existence  of  competing 
architectures  in  this  nascent 
market  is  holding  back 
growth,  says  Gartner’s 
Redman.  But,  he  adds,  app 
wrapping  will  eventually  be 
more  widely  adopted  when 
the  technology  is  integrated 
into  the  larger  and  more 
established  MDM  platforms. 
The downside to app wrapping
is that each application must be modified, which
means administrators need access to the app’s binary
code. That means some apps that come preinstalled
on Android or iOS phones may not be supported.

Also, implementations may work more smoothly
with Android devices than with iOS because of
problems getting binary code for apps sold via Apple’s
App Store. For this reason, wrapping tools tend not
to work with iPhone apps. For example, Mocana’s
Mobile App Protection product doesn’t support the
email client on the iPhone — or other built-in apps,
for that matter.

Users can get access to the binary code for free iOS
apps, but for App Store wares that must be
purchased, IT needs an agreement to buy direct from the
provider and bypass Apple’s store.

Apple currently turns a blind eye to users who
employ app wrapping or change apps bought from its
App Store, “but by their rules, you’re not supposed to
do that,” says Redman. “They could clamp down and
not allow that, although so far they haven’t.” Apple
declined to comment (see story, page 23).


Application 
wrapping  is 
not  mature. 


Mobile  Hypervisors 

The third approach to containment is to create a
virtual machine that includes its own instance of
the mobile operating system — a virtual phone
within a phone. This requires that the vendor work
with smartphone makers and carriers to embed and
support a hypervisor on the phone. Such technology
isn’t generally available yet, but devices that support
a hypervisor may eventually allow users to separate
personal and business voice and data.

VMware is developing an offering called VMware
Horizon. It will support Android and iOS, and
function as a Type 2 hypervisor, which means the virtual
machine runs as a guest on top of the native
installation of the device’s operating system.

Having a guest OS run on top of a host operating
system tends to consume more resources than a
Type 1 “bare metal” hypervisor that’s installed
directly on the mobile device hardware. It’s also
considered a less secure approach, since the host
operating system could be compromised, creating a
path of attack into the virtual machine.

Another vendor, Open Kernel Labs, offers a Type 1
hypervisor that it calls “defense-grade virtualization.”
Open Kernel’s technology is currently used mostly by
mobile chipset and smartphone manufacturers that
serve the military. The company has yet to break into
the commercial market, says Redman.

Developing a Type 1 hypervisor that interacts
directly with the hardware is impractical, says Ben
Goodman, lead evangelist for VMware Horizon.

“We moved to a Type 2 hypervisor because the speed
at which mobile devices are being revised makes it
nearly impossible to keep up,” he says.

As for security, VMware is working on an
encryption approach similar to the Trusted Computing
Group’s Trusted Platform Module standard. It’s also
researching jail-break detection.

Performance won’t be a problem, says Goodman,
vowing that “VMware Horizon is optimized to run
extremely well.” But VMware declined to provide the
names of early adopters who could discuss the product.

Israeli startup Cellrox offers its own twist on
virtualization for Android devices. The technology, called
ThinVisor, was developed at Columbia University. It’s
neither a Type 1 nor a Type 2 hypervisor, but “a
different level of virtualization that resides in the OS and
allows multiple instances of the OS using the same
kernel,” says Cellrox CEO Omer Eiferman. The vendor
offers ThinVisor to cellular service providers,
smartphone manufacturers and large enterprise customers.

Problems  and  Promise 

One problem with containerization is that not all
products support iOS, which powers iPhones, the
smartphones most commonly found in enterprises.
While Apple has a 22% share of the worldwide
smartphone market, compared with 50% for Android
devices, those figures are reversed in the enterprise:




Career Mapping Done Right

Specially designed development plans
help tech workers navigate the choppy
waters of IT employment. By Mary K. Pratt


“WHAT’S MY NEXT MOVE?”

At some point in their careers,
most IT professionals will ask
this question of their managers
— and, unfortunately, many
managers will be ill equipped to
answer in depth. Either they won’t have a good grasp
of the employee’s talents, interests and goals, or they
will lack details on potential career paths within
their companies — or both.

Linda Tedlie is one IT leader who doesn’t have
that problem. When an employee recently asked her
the “what’s next” question, Tedlie, a senior manager
in career development at Kimberly-Clark’s Information
Technology Services (ITS) organization, pulled
up a career map for that worker.

She was able to discuss the employee’s existing
role and capabilities and identify other positions at
the Dallas-based paper products maker that matched
that individual’s skills and aspirations. Then she
could plan the steps the employee should take
to reach a target position — a more senior IT job
within Kimberly-Clark’s mergers and acquisitions
department.

Career  mapping,  or  pathing,  as  it’s  sometimes 
known,  originated  in  the  field  of  human  resources 
and  has  since  branched  out.  It’s  particularly  valuable 


24 COMPUTERWORLD NOVEMBER 19, 2(


to larger organizations that are seeking to institutionalize their
career management programs, enhance their workforce development
and succession planning strategies, and cut down on costly
employee defections, according to Ginny Clarke, president and
CEO of Talent Optimization Partners in Chicago and author of
Career Mapping: Charting Your Course in the New World of Work.

Smaller  companies,  Clarke  observes,  are  less  likely  to  have 
formal  career-mapping  programs  simply  because  they  have  fewer 
internal  opportunities  to  track. 

A  career  map  pulls  together  different  sets  of  information  to 
give  employees  and  their  managers  a  view  of  where  they  are, 
where  they  can  go  and  how  to  get  to  the  jobs  they  want. 

Clarke says that companies generally have compiled some of
those pieces — usually lists of jobs in the organization and the
competencies required for each one, plus resumes for individual
workers. But up until now, few employers have put together all of
the pieces — the lists of jobs and resumes plus other information,
such as new skills employees have acquired or their latest career
aspirations — to create a holistic view of potential career
progression based on skills, competencies and goals.

these  elements:  historical  plotting  (which 
matches  job  titles  to  competencies),  a  list  of 
aspirations,  a  skills-gap  analysis,  a  plan  to  add 
competencies,  a  target  list  of  companies  and 
positions  to  research  and  track,  and  specific 
networking  goals. 

It’s  a  trend  Clarke  hopes  will  catch  on. 

“I'd  love  to  see  more  IT  managers  take  more 
ownership  of  these  activities  because  they 
are  so  critical  to  the  performance”  of  the  IT 
team,  she  says.  “You  need  to  find  a  CIO  — 
and  a  CEO  —  who  values  [mapping],  then  it 
will  trickle  down." 

Setting  Expectations 

At Kimberly-Clark, which has 56,000 employees,
every department has a process in
place to help people advance their careers, but ITS decided three
years ago to further enhance the system for its 900 workers.

Using a new tool called Skills Framework for the Information
Age (SFIAplus), ITS created a platform that allows IT employees
to build detailed individual development plans, explains Gene
Bernier, director of the Program Management Office, an
80-employee team within ITS.

The platform “gives individuals a different perspective, one
they wouldn’t have had otherwise. It opens up lines of
communication, and it [gives people] more control over their career
development,” says Bernier, who spearheaded the career mapping
effort in the IT department.

Like Kimberly-Clark, Mueller Water Products previously
plotted courses for professional growth for employees but has
recently adopted a more disciplined and detailed approach to
mapping possible opportunities — and expectations — for
employees, says senior vice president, CTO and CIO Robert Keefe, a
past chairman of the Society for Information Management.

"If  there's  a  geographic  move  required,  if  there's  a  move  out  of 
IT  that's  expected,  career  mapping  sets  [those]  expectations  with 
the  individual.  We  lay  out  what  the  possibilities  are,”  Keefe  says. 


The Atlanta-based water infrastructure company launched
its version of career mapping several years ago with UAchieve, a
program supported by senior leadership and executed by the HR
department. Like many organizations, Keefe says, Mueller Water
Products separates this process from annual reviews and
merit-pay increases to help keep the focus on long-term visions and not
on year-to-year objectives.

The program — which all IT workers are expected to
participate in — collects information about individual employees and
their current positions and skills. Keefe explains that some of
the information may have been on employees’ résumés, but it
didn’t get incorporated into a system where it would be accessible
and transparent. For example, some staffers could speak foreign
languages but not many people knew that they had those skills
before UAchieve was deployed.

As part of the process, Keefe says, employees are asked to
consider certain scenarios, such as whether they’re willing to move
to another city or take a position in another business division to
gain skills required for future positions.

Based on the collected information, Keefe
says the company works with individuals at
all levels, including management, to
determine what opportunities are available for
them down the road and what they can do to
be ready for them.

Benefits  to  the  company  include  improved 
succession  planning  and  a  vibrant  workplace 
of  challenged,  engaged  employees,  Keefe  says. 

But there can be downsides to career
mapping for employers, he warns. At Mueller
Water, a midlevel IT manager realized after
he’d completed the mapping process that the
company didn’t have the position he aspired
to. So the 10-year veteran, whom Keefe says
he saw as a future IT leader, took a job at
another company where he could gain the
skills he needed to do what he wanted, which
was to run a manufacturing facility.

IT leaders who use career mapping say organizations can’t rely
on employee input alone if they want such programs to succeed.
Company leaders must also go through the exercise, with the
goal of understanding and articulating the requirements of
different positions and then outlining the skills and experience
required to do each job.

That process “helps the organization answer the question
‘What kind of talent do we need?’ ” says Caela Farren, president
of MasteryWorks, a career and talent management consulting
firm in Falls Church, Va.

potencies required for particular jobs, the positions that will be
key for future growth and development, and any new positions
that will come into existence — plus the skills and
accomplishments that will qualify people for those jobs.

With all of that information spelled out in one place, managers
can easily identify what staff resources they’ll need going forward
and whether they have that talent in-house or will have to seek it
elsewhere. •

Pratt is a Computerworld contributing writer in Waltham, Mass. You
can contact her at marykpratt@verizon.net.


[Mapping] helps
the organization
answer the
question ‘What
kind of talent do
we need?’

CAELA FARREN




Trouble 

Ticket 


journal 

Not-So-Innocent  Distribution  Lists 


IS EVERYTHING a potential security
vulnerability? Is there nothing
that a security manager shouldn’t
look at with suspicion?

What, for example, could seem
more innocent than an email distribution
list? Such lists are convenient and ubiquitous,
and in a company of any size at all,
indispensable. They let you send an email
to everyone in, say, marketing, by just
putting the name of the marketing group
in your email’s “to” field. You don’t have to
worry about leaving anyone out, as long as
your company’s Exchange
or Notes administrator
sees to it that the lists are
kept up to date. They
certainly don’t seem suspect.

Last  week,  however,  distribution  lists 
were  implicated  when  we  looked  into 
something  that  turned  out  to  be  a  rather 
brazen  phishing  expedition. 

It started with the help desk receiving
emails from several employees complaining
that they were unable to access our
company’s payroll website and that they
had gotten emails stating that either the
certificate used to access the payroll site
had expired (and they needed to click
on a link to validate the certificate) or
the password for the site had expired
(and they needed to log in to change the
password). That sounded like phishing to
me, and sure enough, when I moved my
cursor over the link in the email, a very
different Web address was displayed.

Wanting to know more, we investigated
the link. What we found was that
any user who had done the same was
encouraged to install a file. We then
downloaded the file in a secure environment
for forensic analysis and identified
it as a piece of malicious software for
connecting to a site in China. It looked
as if the idea was to
trick unsuspecting users
into making their PCs
available to a
command-and-control network
operated out of China. Fortunately, our
endpoint protection client is able to
detect the software and prevent it from
executing. Unfortunately, at any given
time, about 6% to 7% of our desktops are
not protected or haven’t been updated
with the proper pattern files, so there is
the possibility that some machines on
our network are now zombies.

But what does any of this have to
do with distribution lists? Well, the
phishing email was sent to an externally
available distribution list with more than
900 users. That made it easy for us to
determine which machines might be
compromised, so we’ll be able to check
each one and make sure it has the proper
endpoint protection client installed.

Rein  In  Those  Lists 

There was no good reason for this
distribution list to be externally available. That
led me to ask our email administrators
how many of our distribution lists are
configured similarly. The answer was
astonishing: We have more than 3,000
distribution lists (and just 4,000 employees,
mind you), and more than 400 of
them are externally available. I can’t see
any reason why our external partners
would need more than 20 or 30 lists.
Clearly, we have a process problem.

In fact, some of our help desk staffers
have been marking distribution lists as
externally available by default. They will
be educated to do otherwise. We are also
going to audit all of the externally available
lists and eliminate any for which
there is no business justification. From
now on, no distribution list will be
externally available without my approval.

To ensure compliance, I’m having our
security analyst investigate whether we
can use our security incident and event
management tool to alert us when a
newly created distribution list is marked
as “externally available.” I’ve also asked
our email administrators to investigate
why our external spam-filtering service
didn’t protect us from this attack. And
finally, this is a great opportunity to
send out a global email to warn everyone
about phishing attacks and provide tips

This  week’s  journal  is  written  by  a  real 
security  manager,  “Mathias  Thurman,” 
whose  name  and  employer  have  been 
disguised  for  obvious  reasons.  Contact  him 


Distribution lists were implicated when we
looked into a rather brazen phishing attempt




Career Watch


IT  Jobs:  The  Hot- 
And  Not  So  Hot 


Todd S. Coombes

The CIO at CNO Financial
Group answers questions
about finding a mentor and choosing
between […] and being an employee.


you admire most and would get the
greatest benefit from. Approach them
one at a time, starting at
the top of your list. (And
before you approach


ond person on your list
until you’ve heard from
the first, or you could

Telecommunications
specialist 1

Technical  writer  3 


OPINION 

SCOT FINNIE


Personal Syncing to the
Cloud Is Broken; Let’s Fix It


Vendors  seem 
to  be  more 
interested  in 
positioning  their 
wares  than  in 
delivering  true 
integration. 


Scot Finnie is
Computerworld’s

You can contact
him at sfinnie@computerworld.com
and follow him on
Twitter (@ScotFinnie).



The free web services that sync your personal data — contacts,
calendar, bookmarks, email — to the cloud promise device
independence. That’s very attractive in an age when many of us have
two, three and even four computing devices.


For  many  years,  my  personal  productivity  Holy 
Grail  was  to  make  all  my  data  accessible  at  all 
times.  That  pursuit  led  me  down  interesting  paths, 
ones  that  sometimes  went  against  IT  policies.  I 
BYOD’d  my  work  computer  more  than  five  years 
ago,  and  today  one  machine  doubles  as  my  work 
and  home  computer.  The  email  package  running 
on  it  gathers  both  work  and  personal  email. 

I regard everything I read, view or write as
personal data. Those things often relate to more
structured personal data, such as contacts,
calendaring and logins. The trouble is, there’s no single
syncing service that is able to reliably, and without
fuss, sync even most of these data types to the
cloud. Even worse, the current crop of data-syncing
services don’t play nicely with one another.

The one that comes closest to being a unified
service is iCloud. Basic syncing services for contacts,
reminders, notes and file storage are easy to set up,
and they work well enough. But iCloud’s email and
calendar syncing are quite limited. And while iCloud
works well with all types of devices, it’s nearly
useless if those devices didn’t come from Apple.
Android need not apply. If your PC runs Windows 7
or Vista, you can use a limited version of iCloud.

Microsoft’s Windows Live offers cloud-based
file storage and webmail, but it’s fledgling at best.
Office 365 has more of the right stuff, but it’s not a
free service; prices start at $4 a seat per month.

Google doesn’t offer unified data syncing like
iCloud, but its applications and services are
powerful and mature. Google’s contacts, calendaring,
file storage, IMAP and webmail, and Web-based
document software suite are all solid. Windows
users can sync Google contacts and calendars
with Outlook. Mac users can’t, however.

It’s an old story: The vendors behind sync
services seem to be more interested in positioning
their wares against those of their competitors
than in delivering solid services that integrate
with a variety of platforms and syncing scenarios.

Here’s why calendar syncing among iCal,
Google Contacts and Mac Outlook 2011 doesn’t
work: Microsoft doesn’t support the CalDAV
protocol in Mac Office 2011. (Why? It does in
Outlook 2010 for Windows.) Apple abandoned its
own Apple Sync Services (which Office 2011 does
support, ironically) in favor of its own flavor of
CalDAV — which oddly won’t sync with Google’s
CalDAV-based calendar. And Google hasn’t
provided Mac support for its Google Sync utility. It
would seem they don’t want it to work.

Making cloud-based personal data syncing
viable in the real world should be as much of a
given as incorporating a TCP/IP stack into
operating systems was during the mid-1990s, when the
Internet was becoming prevalent.

The reality of interconnecting your devices
via the cloud is a baby step. What comes next could
be transformative, though. We have little control
over our virtual identities, the data about ourselves
we enter into websites. Each social medium, bank,
store and Web service is an island of our data. What
if we controlled that centrally? Think about it.

It’s  time  to  stop  playing  around  with  freebie,  toy 
data-syncing  services.  Let’s  make  this  work.  ♦ 




